Property | Value
---|---
File name | Quote.img.iso
Full analysis | https://app.any.run/tasks/27dc9bc3-29c8-4df9-8219-e3d17e3a918e
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | September 19, 2019, 09:57:44
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | (none)
Indicators | (none)
MIME | application/x-iso9660-image
File info | UDF filesystem data (version 1.5) ''
MD5 | 626B17D53A94C3B5901FF46D694E6929
SHA1 | E25712840F32F65968BC582F101FA3044E017415
SHA256 | BD8B6159AB1905DE5220D7E7D60B1AED3068BAD3A8169B4077DD5FC42E488565
SSDEEP | 12288:v+XKAYnQgO5p1ZJBcaIPwOy/TKUEkPSjx8YNJoi1qofCP:WXKAH/bJur0mnV8YHnDCP

Extension | Identification
---|---
.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

Metadata field | Value
---|---
VolumeSize | 1322 kB
VolumeModifyDate | 2019:09:16 01:59:13.00-07:00
VolumeCreateDate | 2019:09:16 01:59:13.00-07:00
Software | IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeSetName | UNDEFINED
RootDirectoryCreateDate | 2019:09:16 01:59:13-07:00
VolumeBlockSize | 2048
VolumeBlockCount | 661

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2880 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Quote.img.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2608 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe | — | WinRAR.exe | User: admin; Company: sinwashing3Getae; Integrity Level: MEDIUM; Exit code: 0; Version: 2.01.0007
3408 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe | — | Quote.exe | User: admin; Company: sinwashing3Getae; Integrity Level: MEDIUM; Version: 2.01.0007

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe | executable | F6D3CA0F2E6A3EA1732006AF1CEB11F8 | D0D3B8358A2AD65FFACB28DE98B86F6E745DBBDA6232DBC752239972745E2C80
3408 | Quote.exe | C:\Users\admin\AppData\Local\Temp\637044875517847500_2f41157a-994b-4c2c-b860-8f8454f84a42.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3408 | Quote.exe | GET | 404 | 3.224.145.145:80 | http://checkip.amazonaws.com/ | US | xml | 345 b | shared

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3408 | Quote.exe | 3.224.145.145:80 | checkip.amazonaws.com | — | US | shared
3408 | Quote.exe | 188.241.39.10:587 | helsanaa.com | Hydra Communications Ltd | GB | malicious

Domain | IP | Reputation
---|---|---
checkip.amazonaws.com | — | shared
helsanaa.com | — | malicious

PID | Process | Class | Message
---|---|---|---
3408 | Quote.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check